Allowing the Kabeen agent in your EDR/antivirus

Resolve EDR/XDR false positives on Kabeen executables by adding the agent to the allowlist

EDR/XDR solutions (Sophos, CrowdStrike, etc.) can generate false positives on the Kabeen agent executables. This article explains how to identify these alerts and allow the agent in your security solution so that usage collection is not interrupted.

Symptoms

You may observe the following signs:

  • Alerts or blocks reported by your EDR/XDR on Kabeen.exe and proxy.exe.
  • Quarantine of the agent executables.
  • Workstations that no longer report usage in the platform, because collection is blocked.

Without explicitly allowing the agent in your security solution, collection can be blocked and the affected workstations stop reporting data.

Adding the agent to the allowlist

To restore the agent's operation, add the following items to your EDR/XDR allowlist:

  1. The Kabeen.exe executable.
  2. The proxy.exe executable.
  3. The agent installation folder on Windows: C:\Program Files\Kabeen

The exact configuration depends on your security solution (the interface and the location of the rules vary from one vendor to another). Refer to your EDR/XDR documentation to create an exclusion for these executables and this folder.
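The following PowerShell script is an added example and is not part of the Kabeen documentation or the agent itself. It inventories the two executables named above (presence, Authenticode signature status and SHA-256, which is what support or a vendor will ask for when you report an alert) and then creates the exclusions. The exclusion step uses the Microsoft Defender Antivirus cmdlets Add-MpPreference and Get-MpPreference as one vendor's interface; for Sophos, CrowdStrike and others the equivalent rules are created in their own consoles. The function names, and the assumption that the agent lives in C:\Program Files\Kabeen, are this example's own. Run it from an elevated PowerShell session.

```powershell
# Added example, not Kabeen's own tooling: check the agent binaries, then allowlist them.
# Assumed: the default installation folder from the article and the two executables it names.
$AgentFolder   = 'C:\Program Files\Kabeen'
$AgentBinaries = @('Kabeen.exe', 'proxy.exe')

function Get-KabeenAgentInventory {
    param([string]$Folder = $AgentFolder, [string[]]$Names = $AgentBinaries)
    foreach ($name in $Names) {
        $path = Join-Path $Folder $name
        if (-not (Test-Path -LiteralPath $path)) {
            # A missing binary usually means the EDR already quarantined it.
            [pscustomobject]@{ File = $path; Present = $false; Signature = $null; Signer = $null; SHA256 = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            File      = $path
            Present   = $true
            Signature = $sig.Status                       # 'Valid' is what you want to see before allowlisting
            Signer    = $sig.SignerCertificate.Subject    # $null when the file is not signed
            SHA256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash   # include this in the support ticket
        }
    }
}

function Add-KabeenDefenderExclusions {
    param([string]$Folder = $AgentFolder, [string[]]$Names = $AgentBinaries)
    # Keep the exclusions as narrow as the article requires: one folder, two processes.
    Add-MpPreference -ExclusionPath $Folder
    foreach ($name in $Names) {
        Add-MpPreference -ExclusionProcess (Join-Path $Folder $name)
    }
    # Echo back the resulting configuration so the change can be recorded.
    Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess
}

$inventory = Get-KabeenAgentInventory
$inventory | Format-Table -AutoSize

if (($inventory | Where-Object { -not $_.Present }).Count -eq 0) {
    Add-KabeenDefenderExclusions
} else {
    Write-Warning 'One or more agent binaries are missing; restore them from quarantine before adding exclusions.'
}
```

Record the SHA-256 values the inventory prints: they let support and the EDR vendor confirm they are looking at the same build that triggered the alert, and they let you re-check later that the excluded files have not been replaced.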

Infrastructure server agent

The same considerations apply on the server side. If you deploy the infrastructure server agent on machines protected by an EDR/XDR, allow the server agent in the same way so that its collection is not blocked.

Alert that appeared suddenly

An alert that appears suddenly on a previously working agent is often caused by a change in the detection algorithm on the EDR vendor's side. In this case:

  1. Keep the agent on the allowlist.
  2. Report the alert to Kabeen support for possible submission of the executable to your security solution's vendor.

See also

If collection remains blocked after allowlisting, also check the permitted network flows. The agent uses only outbound HTTPS on port 443/TCP to api.kabeen.io and intake.kabeen.io. Refer to the infrastructure agent prerequisites for the details of the flows to allow.
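As an added example (not from the Kabeen documentation), the PowerShell function below checks the two flows named above from an affected workstation: DNS resolution and a TCP connection on 443 via Test-NetConnection, followed by a TLS handshake that reports the issuer of the certificate the endpoint presented. The function name is this example's own. If the handshake fails, or the issuer is an internal CA rather than a public one, a TLS-inspecting proxy or firewall is sitting in the path and may need its own exception for these hosts.

```powershell
# Added example: verify the agent's outbound HTTPS flows after allowlisting.
# Assumed: the two endpoints and port stated in the article.
$AgentEndpoints = @('api.kabeen.io', 'intake.kabeen.io')

function Test-KabeenOutboundFlows {
    param([string[]]$Hosts = $AgentEndpoints, [int]$Port = 443)
    foreach ($h in $Hosts) {
        $net = Test-NetConnection -ComputerName $h -Port $Port -WarningAction SilentlyContinue
        $issuer = $null
        $tlsError = $null
        if ($net.TcpTestSucceeded) {
            try {
                # Complete a real TLS handshake so an intercepting proxy shows up as a different issuer.
                $client = New-Object System.Net.Sockets.TcpClient($h, $Port)
                $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
                $ssl.AuthenticateAsClient($h)
                $issuer = $ssl.RemoteCertificate.Issuer
                $ssl.Dispose(); $client.Dispose()
            } catch {
                # Untrusted or substituted certificates land here; the agent would fail the same way.
                $tlsError = $_.Exception.Message
            }
        }
        [pscustomobject]@{
            Host        = $h
            Port        = $Port
            DnsResolved = [bool]$net.RemoteAddress
            TcpOpen     = $net.TcpTestSucceeded
            CertIssuer  = $issuer
            TlsError    = $tlsError
        }
    }
}

Test-KabeenOutboundFlows | Format-Table -AutoSize
```

A row with TcpOpen false while DnsResolved is true points at the firewall or proxy rather than at the EDR; a row with a TlsError points at certificate interception on the path.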